Abstract

I describe some inconsistencies in John Rushby’s axiomatization of time-triggered algorithms that he 
presents in these transactions and that he formally specifies and verifies in a mechanical theorem-prover. 
I also present corrections for these inconsistencies. 


I. Introduction 

This note’s purpose is to make a few minor corrections to John Rushby’s paper, Systematic 
Formal Verification for Fault-Tolerant Time-Triggered Algorithms, appearing in Vol. 25, No. 5 
of these transactions [1]. Rushby presents four principal assumptions (or axioms) about the
behavior of time-triggered systems. He describes his use of these axioms in the systematic 
formal specification and verification of time-triggered systems in the mechanical theorem-prover 
PVS [2]. Two of these four axioms are inconsistent; in fact, one is inconsistent in three separate 
ways. Once the axioms are made consistent, one axiom is redundant; it is a corollary of the 
other. Finally, a contradiction can be derived from another of the four axioms and some other 
minor axioms in the formal specification. These inconsistencies appear in both the printed paper 
and the PVS specifications, but when the printed axioms are ambiguous due to being more 
informally stated, I defer to the PVS specifications. 

I discovered these errors while attempting to interpret these axioms by formally providing
a model using theory interpretations in PVS [3]. When the “canonical model” did not satisfy
the axioms,¹ I quickly realized that these axioms not only fail to model the domain but are in
fact inconsistent. Once the errors were discovered, it was fairly straightforward to mend them.²
Rushby’s formal proofs do not depend on the inconsistencies. However, these specifications are
intended to be systematic and reusable; in the hands of someone without Rushby’s expertise,
the danger posed by inconsistent axioms very much exists.

¹ I would like to thank Paul Miner of the NASA Langley Formal Methods Group for suggesting that Axioms 2 and 3 are necessary
to axiomatize a canonical clock. He also pointed out that these changes imply that Theorem 5 holds.

² The mended formal specifications, along with a formal theory interpretation, can be found at <http://here.com>.
This comment does not suggest a failure of formal verification. Rushby is widely considered
to be an expert (if not the expert) in the mechanized verification of fault-tolerant real-time
systems, particularly in PVS. These errors escaped his attention, despite his having formally verified the
theory. They also apparently escaped the attention of the reviewers of these transactions and the
numerous researchers who have cited this work, including this author.³ Because these relatively
elementary errors went unnoticed by both Rushby and his peers, this is further evidence that formal
verification is crucial to ensure the correctness of a specification. However, a mechanically
checked specification and verification is only as sound as one’s axioms. The lesson here is that the
axiomatization of real-time systems is extremely difficult, and that to ensure that the axioms are
consistent and correctly model the domain, a formal verification should include a demonstration
that some (canonical) implementation satisfies one’s formal specifications.

II. Inconsistencies and Corrections 

I begin by stating Rushby’s definition of inverse clocks and his Clock Drift Rate Axiom.

Definition 1 (Inverse Clock): An inverse clock for process $p$ is a total function $C_p : \mathbb{R} \to \mathbb{N}$.
The domain of an inverse clock is called realtime and the range is called clocktime. The drift
of nonfaulty clocks is bounded by a realtime constant $0 < \rho < 1$:

Axiom 1 (Clock Drift Rate): $(1 - \rho)(t_1 - t_2) \le C_p(t_1) - C_p(t_2) \le (1 + \rho)(t_1 - t_2)$.

Theorem 1: Axiom 1 is inconsistent.

Proof: Let $t_2 > t_1$. Then $(1 - \rho)(t_1 - t_2) > (1 + \rho)(t_1 - t_2)$, so the lower bound of Axiom 1 exceeds its upper bound. ∎

Axiom 1 can be revised as follows:

Axiom 2 (Clock Drift Rate (First Revision)): Let $t_1 > t_2$. Then $(1 - \rho)(t_1 - t_2) \le C_p(t_1) - C_p(t_2) \le (1 + \rho)(t_1 - t_2)$.

However, even this is unsatisfiable:

Theorem 2: Axiom 2 is inconsistent.

Proof: Let $t_1 > t_2$ be such that $(1 + \rho)(t_1 - t_2) - (1 - \rho)(t_1 - t_2) < 1$ and there exists no
$n \in \mathbb{N}$ such that $(1 - \rho)(t_1 - t_2) \le n \le (1 + \rho)(t_1 - t_2)$. Since $C_p(t_1) - C_p(t_2)$ is an integer, Axiom 2 cannot hold for this pair. ∎

³ Rushby’s paper has not only appeared in these transactions since 1999, but an earlier version appeared in the IEEE
Proceedings of the Sixth Working Conference on Dependable Computing for Critical Applications [4]. The paper has been
well-cited, even in the very recent literature. For example, a quick search on Google Scholar finds 36 citations; the author
knows of at least three citations appearing in work published in 2004.
I weaken the inequality by taking the floor and ceiling of the drifts:

Axiom 3 (Clock Drift Rate (Second Revision)): Let $t_1 > t_2$. Then $\lfloor (1 - \rho)(t_1 - t_2) \rfloor \le C_p(t_1) - C_p(t_2) \le \lceil (1 + \rho)(t_1 - t_2) \rceil$.

Even with these revisions, no function satisfying Axiom 3 is an inverse clock as defined by
Definition 1.⁴

Theorem 3: No inverse clock satisfies Axiom 3.

Proof: By contradiction. The range of $C_p$ is a nonempty subset of $\mathbb{N}$, which is totally ordered with a least element, so there exists
some $t \in \mathbb{R}$ such that $C_p(t) \le C_p(t')$ for all $t' \in \mathbb{R}$. Let $t'' \in \mathbb{R}$, where $t'' < t$, be such that
$\lfloor (1 - \rho)(t - t'') \rfloor > 0$. By Axiom 3, $\lfloor (1 - \rho)(t - t'') \rfloor + C_p(t'') \le C_p(t)$. However, because
$\lfloor (1 - \rho)(t - t'') \rfloor$ is assumed to be strictly greater than zero, $C_p(t'') < C_p(t)$, contradicting our
assumption that $C_p(t)$ is least. ∎

I therefore extend the range of an inverse clock from N to Z. 

Definition 2 (Revised Inverse Clock): An inverse clock for process $p$ is a total function $C_p : \mathbb{R} \to \mathbb{Z}$.

Note that the inconsistencies in Axioms 1 and 2 hold regardless of whether an inverse clock is 
defined by Definition 1 or Definition 2. 

A second inconsistent axiom is the Monotonicity Axiom. Nonfaulty clocks are monotonic:

Axiom 4 (Monotonicity): $t_1 < t_2$ implies $C_p(t_1) < C_p(t_2)$.

Theorem 4: Axiom 4 is inconsistent (with respect to either Definition 1 or Definition 2).

Proof: Because $<$ is a total order over $\mathbb{R}$, Axiom 4 implies that $C_p$ is an injective function,
but there exists no injection from the reals into the natural numbers (or integers). ∎

A satisfiable revision of monotonicity weakens the consequent slightly:

Axiom 5 (Revised Monotonicity): $t_1 < t_2$ implies $C_p(t_1) \le C_p(t_2)$.

Axiom 5 now becomes a corollary of Axiom 3:

Theorem 5: Axiom 3 implies Axiom 5.

Proof: Let $t_1 < t_2$. By Axiom 3, $C_p(t_2) \ge C_p(t_1) + \lfloor (1 - \rho)(t_2 - t_1) \rfloor$, and the floor term is nonnegative because $0 < \rho < 1$ and $t_2 - t_1 > 0$; hence $C_p(t_1) \le C_p(t_2)$. ∎
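As an added illustration of the clock axioms and theorems above (example code written for this note; it is neither Rushby’s PVS theory nor the theory interpretation mentioned in footnote 2), the following Python model checks Axioms 1, 2, 3 and 5 against a constructed canonical inverse clock $C_p(t) = \lfloor \mathit{rate} \cdot t \rfloor$ using exact rational arithmetic. The drift bound $\rho$, the clock rate and the finite grid of realtimes are constructed values. It exhibits the inverted bounds of Theorem 1, a drift interval containing no integer as in the proof of Theorem 2, that the floor clock satisfies Axioms 3 and 5 on every grid pair (as Theorem 5 predicts), and that its least clocktime on the grid is negative, so it is an inverse clock only under Definition 2.

```python
from fractions import Fraction as F
from itertools import permutations
from math import ceil, floor

# Constructed parameters (not taken from the paper): drift bound rho and a
# clock that runs 0.5% fast, which is within the bound.
RHO = F(1, 100)
RATE = F(201, 200)


def canonical_clock(rate=RATE, offset=F(0)):
    """Constructed canonical inverse clock C_p(t) = floor(rate * t + offset).

    Its range is Z (Definition 2): for negative realtimes it returns negative
    clocktimes, so it is not an inverse clock under Definition 1.
    """
    def C(t):
        return floor(rate * t + offset)
    return C


def axiom1(C, t1, t2, rho=RHO):
    """Axiom 1 as printed, with no ordering assumption on t1 and t2."""
    d = C(t1) - C(t2)
    return (1 - rho) * (t1 - t2) <= d <= (1 + rho) * (t1 - t2)


def axiom2(C, t1, t2, rho=RHO):
    """Axiom 2 (first revision): Axiom 1 restricted to t1 > t2."""
    return t1 <= t2 or axiom1(C, t1, t2, rho)


def axiom3(C, t1, t2, rho=RHO):
    """Axiom 3 (second revision): floor and ceiling applied to the drift bounds."""
    if t1 <= t2:
        return True
    d = C(t1) - C(t2)
    return floor((1 - rho) * (t1 - t2)) <= d <= ceil((1 + rho) * (t1 - t2))


def axiom5(C, t1, t2):
    """Axiom 5 (revised monotonicity): t1 < t2 implies C(t1) <= C(t2)."""
    return not t1 < t2 or C(t1) <= C(t2)


def axiom1_bounds_inverted(t1, t2, rho=RHO):
    """Theorem 1: for t2 > t1 the lower bound of Axiom 1 exceeds its upper bound."""
    return (1 - rho) * (t1 - t2) > (1 + rho) * (t1 - t2)


def no_integer_in_drift_interval(t1, t2, rho=RHO):
    """Theorem 2: True when [(1-rho)(t1-t2), (1+rho)(t1-t2)] is narrower than 1
    and contains no integer, so no integer-valued clock satisfies Axiom 2 here."""
    lo, hi = (1 - rho) * (t1 - t2), (1 + rho) * (t1 - t2)
    return hi - lo < 1 and floor(hi) < lo


def theorem2_witness_pair():
    """A constructed pair t1 > t2 whose drift interval [0.495, 0.505] has no integer."""
    return F(1, 2), F(0)


def violations(C, axiom, times):
    """Finite model check: every ordered pair of distinct grid times that breaks the axiom."""
    return [(t1, t2) for t1, t2 in permutations(times, 2) if not axiom(C, t1, t2)]


# Constructed realtime grid: -10 .. 10 in steps of 1/4.
GRID = [F(k, 4) for k in range(-40, 41)]


if __name__ == "__main__":
    C = canonical_clock()
    t1, t2 = theorem2_witness_pair()
    print("Theorem 1 witness (t1=0, t2=1):", axiom1_bounds_inverted(F(0), F(1)))
    print("Theorem 2 witness (t1=1/2, t2=0):", no_integer_in_drift_interval(t1, t2))
    print("Axiom 2 violations on grid:", len(violations(C, axiom2, GRID)))
    print("Axiom 3 violations on grid:", violations(C, axiom3, GRID))
    print("Axiom 5 violations on grid:", violations(C, axiom5, GRID))
    print("Least clocktime on grid:", min(C(t) for t in GRID), "(negative, so not in N)")
```

Checking the axioms over a finite grid is a sanity check of the kind the introduction argues for, not a proof: the axioms quantify over all reals, so a clean run only shows that the canonical clock has not been ruled out, while a single violation (as for Axiom 2) is a genuine counterexample.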

The third inconsistency can be derived from the axiomatization of when messages are sent
and received by nonfaulty processes. Let $\mathit{sent}_p(q, m, t)$ be a relation that holds if process $p$


⁴ It should already be intuitive that Definition 1 is incorrect, since, e.g., a canonical inverse clock function like the floor
function does not satisfy Axiom 3.
sends message $m$ to process $q$ at realtime $t$. Similarly, let $\mathit{recv}_q(p, m, t)$ be a relation that holds
if process $q$ receives message $m$ from process $p$ at realtime $t$. The following axiom relates the
delay between when a nonfaulty process sends a message and when a nonfaulty process receives
it. Let the maximum delay be a realtime constant $\delta$ such that $\delta > 0$.

Axiom 6 (Maximum Delay): $\mathit{sent}_p(q, m, t)$ if and only if there exists some realtime delay
$0 \le d \le \delta$ such that $\mathit{recv}_q(p, m, t + d)$.

Theorem 6: If $\delta > 0$, then Axiom 6, together with other minor axioms and constraints in the
formal specification, is inconsistent.

Proof: (Sketch.) The essential problem is that the existential quantifier is within the scope
of the biconditional operator in Axiom 6. As stated, Axiom 6 implies that for all realtimes $t$,
if there exists a $0 \le d \le \delta$ such that $\mathit{recv}_q(p, m, t + d)$, then $\mathit{sent}_p(q, m, t)$. It can be shown
that there exists some $t$ such that $\mathit{recv}_q(p, m, t + d)$. Because $d$ ranges over the interval $[0, \delta]$,
there exists a realtime $t'$ and realtime delay $0 \le d' \le \delta$ such that $d' \ne d$ and $t' + d' = t + d$,
implying that $\mathit{sent}_p(q, m, t)$ and $\mathit{sent}_p(q, m, t')$, where the distance between $t$ and $t'$ is less
than $\delta$. However, by other constraints, no two separate realtimes within $\delta$ of each other satisfy
$\mathit{sent}$. ∎

A possible consistent revision is as follows:

Axiom 7 (Maximum Delay (Revised)): There exists some $0 \le d \le \delta$ such that $\mathit{sent}_p(q, m, t)$
if and only if $\mathit{recv}_q(p, m, t + d)$, and there exists some $0 \le d' \le \delta$ such that $\mathit{recv}_q(p, m, t)$ if
and only if $\mathit{sent}_p(q, m, t - d')$.
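To make the quantifier-scope problem of Axiom 6 and the repair in Axiom 7 concrete, here is an added Python model (constructed for this note; it is not the paper’s PVS specification) of a single send and its receive over a finite grid of rational realtimes. It lists the realtimes at which the right-to-left direction of Axiom 6 forces additional sends, checks that those forced sends break the send-separation constraint invoked in the proof of Theorem 6, and searches for the one delay $d$, fixed outside the biconditionals, under which Axiom 7 holds for the same scenario. The send and receive times, $\delta$ and the grid are all constructed values, and the grid stands in for the real line.

```python
from fractions import Fraction as F

# Constructed scenario (not from the paper): process p sends one message m to
# q at realtime 0, q receives it at realtime 1, and the maximum delay delta is 2.
DELTA = F(2)
SENT = {F(0)}   # realtimes t at which sent_p(q, m, t) holds
RECV = {F(1)}   # realtimes t at which recv_q(p, m, t) holds

# Constructed finite grid of candidate realtimes -2 .. 4 in steps of 1/4; the
# axioms quantify over all reals, so this is a sanity check, not a proof.
GRID = [F(k, 4) for k in range(-8, 17)]


def sent(t):
    return t in SENT


def recv(t):
    return t in RECV


def exists_recv_within_delay(t, delta=DELTA):
    """There exists d in [0, delta] with recv(t + d): a receive time lies in [t, t + delta]."""
    return any(t <= r <= t + delta for r in RECV)


def axiom6_forced_sends(times, delta=DELTA):
    """Axiom 6 read right to left: whenever a receive falls within delta after t,
    sent must hold at t. Returns the grid times at which the axiom forces a send
    that the scenario does not contain."""
    return [t for t in times if exists_recv_within_delay(t, delta) and not sent(t)]


def sends_separated(send_times, delta=DELTA):
    """The other constraint cited in the proof of Theorem 6: distinct send
    times are at least delta apart."""
    s = sorted(send_times)
    return all(later - earlier >= delta for earlier, later in zip(s, s[1:]))


def axiom7_holds(times, d, delta=DELTA):
    """Axiom 7 with the delay d fixed outside the biconditionals:
    sent(t) iff recv(t + d) and recv(t) iff sent(t - d), for every t."""
    if not 0 <= d <= delta:
        return False
    return all(sent(t) == recv(t + d) and recv(t) == sent(t - d) for t in times)


def find_axiom7_delay(times, delta=DELTA):
    """Search candidate delays (quarter steps from 0 to delta) for one witnessing Axiom 7."""
    for k in range(int(delta * 4) + 1):
        d = F(k, 4)
        if axiom7_holds(times, d, delta):
            return d
    return None


if __name__ == "__main__":
    forced = axiom6_forced_sends(GRID)
    print("Sends forced by Axiom 6 beyond the actual one:", forced)
    print("Forced sends respect the separation constraint?", sends_separated(SENT | set(forced)))
    print("Delay witnessing Axiom 7:", find_axiom7_delay(GRID))
```

With one receive at realtime 1 and $\delta = 2$, every grid time in $[-1, 1]$ has a receive within $\delta$ after it, so Axiom 6 forces eight spurious sends a quarter apart, which is exactly the collision with the separation constraint that the proof sketch of Theorem 6 describes; Axiom 7 is satisfied by the single delay $d = 1$.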